Low cost automation

Posted date 22/03/2018
Author
INCIBE (INCIBE)

Energy consumption and security are the biggest concerns for designers of embedded systems, but the cost and functionality of the computers themselves must also be taken into account. That's why low-cost technological solutions based on free hardware are becoming increasingly important in the Internet of Things and Industry 4.0.

In addition to energy limitations, many applications also have requirements for storage and secure communication. Logging data, loading files from external sources (memory, USB drives, etc.) or sending information over another communication channel requires encryption in order to protect integrity. That's why more and more microcontrollers are appearing with hardware encryption capabilities, reducing software overhead, increasing security and reducing energy consumption. For example, AES encryption in hardware is 10 times faster than in software, with all the advantages this brings.

These microcontrollers are included in so-called Single Board Computers (SBCs), with Arduino and Raspberry Pi the leading exponents.

-Different SBC models-

Raspberry and Arduino in Industry

Many SBC systems are being incorporated into industry for different tasks, mainly for training, thanks to the versatility and cost savings they offer. Their hardware is not specifically designed to operate in the harsh conditions of the industrial environment, but there are basic SBC-based solutions capable of withstanding the electrical noise, vibrations or humidity that might be found in any industrial process.

Thanks to their simplicity, usability and international availability, Arduino and Raspberry are the main platforms used to create devices oriented towards industry.

The use of these devices is growing in step with the number of expansion boards available for them. There are more and more sensors, with greater precision, as well as new communications connectors, support for more industrial protocols and new peripherals. Added to all of that is the extensive community currently developing new functions, thanks to the use of free software and the ease with which projects can be shared.

Native protocols for low-cost systems

The hardware of these devices does not by itself allow communication in many of the standard control system protocols, but these capabilities can be added through extra hardware or certain software.

The Raspberry is the most versatile board; because it can run a commercial operating system (Linux), it offers more possibilities for including software libraries and modules that incorporate new protocols. Thus, Raspberry is capable of using any Ethernet-based protocol, depending on the software installed. The available protocols include:

  • DNP3
  • POWERLINK
  • EtherCAT
  • Modbus / Modbus TCP
  • ProfiNET
  • OPC UA
  • Ethernet/IP

-Example of the function of Raspberry in control systems-

Arduino boards present more difficulties, as their programming capacities are limited. Nevertheless, a long list of protocols has been incorporated, notably:

  • OPC
  • Modbus
  • EtherCAT
  • I2C
  • SPI
  • S7
  • CAN bus

In this case, the majority require additional hardware, and many of them are designed to be used over RS-232 or RS-485 serial communications.

Of the protocols listed, none except OPC UA provides security. These are old protocols, most of them very simple, developed to provide communication and to optimise transmissions without taking security into account.

Hardening Raspberry

As it is no longer possible to improve the protocols these devices use in industrial environments, at the very least we must ensure that the device itself offers security in access to the operating system. In this case we will focus on Raspberry, as Arduino has no access to the system.

For Raspberry used in the standard way with Linux systems, two versions are offered on its own website. Of these, the one recommended for use with libraries and software designed for industrial systems is the Raspbian distribution. The security recommendations for this system are:

  1. Change the default system password. This deactivates automatic access to the operating system, which could be used to view information from a screen connected to the Raspberry and to perform actions on the Raspbian desktop.
  2. Disable unnecessary hardware. In order to use the inputs and outputs provided by the hardware, we must enable ports such as SPI or GPIO, but if the device is going to be used as an HMI or is only going to use Ethernet communications, all these other ports must be disabled.
  3. Remove accessory software. As Raspberry runs a version of Linux, it comes with many services that are not needed for the hardware's new function. These services include FTP, MySQL, office applications, etc., which must be uninstalled or disabled.
  4. Change the default ports of device management services. Integrated SCADA programmes usually communicate through SSH, making it advisable to change the password of the service and even to change the service's default port.
  5. Install and configure iptables. The advantage of being a Linux system is that it allows the firewall integrated in the operating system to be enabled. Thus, information that enters and leaves the device can be protected.
  6. Activate the log. This way it is possible to check successful and failed accesses. If possible, send the generated messages off the device to a centralised system so that the hardware does not end up without disk space.
  7. Keep the system up to date. This will not be a simple task when the device is integrated in an industrial network, but automating the updates through the use of a cron or cron-apt service will allow the system to remain free of errors.
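
Several of these recommendations (steps 2, 3, 4 and 6) can be verified from configuration files alone, which makes them easy to audit on a live Pi or on a mounted SD-card image. The script below is an added example, not code from the original article; the function names are hypothetical, the paths are the usual Raspbian locations, and the password, firewall and update steps are not covered.

```shell
#!/bin/sh
# Added example (not INCIBE's code): audit a Raspbian root tree against the
# checklist above. Pass / on a live Pi or the mount point of an SD-card image.

# First uncommented value of an sshd_config keyword
# (Match blocks and Include files are not evaluated).
sshd_value() {  # $1 = file, $2 = keyword
    [ -r "$1" ] || return 0
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

audit_pi() {  # $1 = root directory; prints one WARN line per finding
    root=${1:-/}
    sshd="$root/etc/ssh/sshd_config"

    # Step 4: no Port line means sshd listens on the default, 22.
    port=$(sshd_value "$sshd" Port)
    [ "${port:-22}" = 22 ] && echo "WARN ssh: default port 22"
    [ "$(sshd_value "$sshd" PermitRootLogin)" = yes ] &&
        echo "WARN ssh: PermitRootLogin yes"

    # Step 2: buses switched on in the firmware configuration.
    for bus in spi i2c_arm; do
        grep -Eqs "^[[:space:]]*dtparam=${bus}=on" "$root/boot/config.txt" &&
            echo "WARN hw: $bus enabled in /boot/config.txt"
    done

    # Step 3: services enabled at boot (systemd "wants" symlinks).
    for svc in vsftpd mysql mariadb; do
        unit="$root/etc/systemd/system/multi-user.target.wants/$svc.service"
        { [ -e "$unit" ] || [ -L "$unit" ]; } && echo "WARN svc: $svc enabled"
    done

    # Step 6: rsyslog forwarding ("@host" UDP, "@@host" TCP, or omfwd).
    grep -Eqs '^[^#]*([[:space:]]@@?[^[:space:]]|omfwd)' \
        "$root/etc/rsyslog.conf" "$root"/etc/rsyslog.d/*.conf ||
        echo "WARN log: no remote syslog target"
    return 0
}

# Audit the given root when the script is run with an argument.
if [ $# -gt 0 ]; then audit_pi "$1"; fi
```

An empty output means none of the checked weaknesses were found; it says nothing about the steps the script does not inspect.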

Example: CoDeSys for Raspberry Pi

CoDeSys is one of the most important SCADAs at international level, and a package has been developed to use Raspberry Pi devices as if they were a PLC.

To test this solution, we implemented the setup shown in the following image in a controlled environment. In this case, the Raspberry becomes the HMI, assuming the role of gathering data from the ModBus Slave and offering them to the operator through a website; but we could also have used the Raspberry directly as a PLC and captured the sensor and actuator signals using its communications ports (GPIO, SPI, etc.).

-Assembly of Raspberry for CoDeSys configuration-

On this occasion, we are not so much interested in the security of the industrial protocols it allows us to use, the weaknesses of which have been pointed out on numerous occasions, but in the security required by the Raspberry and by its communication with the engineering station for programming.

These packages are managed from the CODESYS Development System located in the engineering station. From here it is possible to install the package on a Raspberry Pi device accessible over the network; loading, installation and any updates are performed via SSHv2. For this communication it is necessary to configure the IP address and the SSH access credentials and to use two sessions to install the package.

-Configuration of IP and credentials for communication through SSH-

-Wireshark display of SSH traffic during the installation of the package on Raspberry-

Now all that is left is to create the project and the corresponding programming and load it onto the Raspberry. The project is developed locally, selecting the protocols to be used, adding variables and even with the option of deploying an HMI. This project is then uploaded through UDP communication.

-Uploading of new project in Raspberry-

During the test phase, the Raspberry and the development centre communicate through UDP packets. This communication must be carried out in a controlled environment, as there is no security in place.

The HMI is published on the Raspberry through port 8080. By default the program requires neither access control nor encryption of communications (HTTPS), so what is offered through this resource must be assessed carefully.

Access control must be implemented during programming. Configuration of the communication is performed through the configuration files within the Raspberry itself.
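
Because the UDP upload channel and the HMI on port 8080 carry no protection of their own, the iptables firewall from the hardening list is the natural place to limit who can reach them. The generator below is an added example, not part of the original article or of CoDeSys: `pi_ruleset` is a hypothetical helper, and every address, the SSH port and the UDP port range are caller-supplied assumptions (take the UDP ports from your own capture).

```shell
#!/bin/sh
# Added example, not from the original article: print an iptables-restore
# ruleset that exposes the Pi's management and HMI ports to named sources only.
# Every address and port below is supplied by the caller (assumed values).

is_ipv4() {   # dotted quad with optional /prefix, nothing else
    case $1 in *[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}
is_ports() {  # single port "N" or range "N:M"
    case $1 in *[!0-9:]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}(:[0-9]{1,5})?$'
}

# $1 engineering station, $2 SSH port, $3 UDP programming port(s), $4 HMI clients
pi_ruleset() {
    is_ipv4 "$1" && is_ports "$2" && is_ports "$3" && is_ipv4 "$4" || {
        echo "usage: pi_ruleset ENG_IP SSH_PORT UDP_PORTS HMI_CLIENTS" >&2
        return 2
    }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH (package install) and UDP (project upload): engineering station only
-A INPUT -s $1 -p tcp --dport $2 -j ACCEPT
-A INPUT -s $1 -p udp --dport $3 -j ACCEPT
# HMI web visualisation on 8080: operator network only
-A INPUT -s $4 -p tcp --dport 8080 -j ACCEPT
# Everything else is logged, then dropped by the INPUT policy
-A INPUT -j LOG --log-prefix "pi-drop: "
COMMIT
EOF
}

# Print the ruleset when called with four arguments.
if [ $# -eq 4 ]; then pi_ruleset "$@"; fi
```

Pipe the output through `iptables-restore --test` to validate it before loading it on the device.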

-Login dialogue box for inserting visualizations in CoDeSys-

-Change in server configuration to add security to HMI-

By way of summary, the following table includes the measures to be applied to raise the level of security and ensure that a Raspberry Pi used as a PLC has sufficient protection and guarantees that the existing programming is sent from the engineering station.

-Security measures-